Managing the Internal Audit Activity in Internal Audit by miannaveed

                         STUDY UNIT EIGHT
               MANAGING THE INTERNAL AUDIT ACTIVITY I


    8.1    Planning
    8.2    Communication of Plans
    8.3    Reporting
    8.4    Relationship with the Audit Committee
    8.5    Resource Management
    8.6    Policies and Procedures
    8.7    Study Unit 8 Summary

  This is the first of two study units on management of the internal audit activity (IAA). According to
General Performance Standard 2000 – Managing the Internal Audit Activity,
          The chief audit executive should effectively manage the internal audit activity to ensure it
          adds value to the organization.
Practice Advisory 2000-1: Managing the Internal Audit Activity elaborates on this responsibility as
follows:
          1.      The chief audit executive is responsible for properly managing the internal audit activity
                  so that:
                  -  Engagement work fulfills the general purposes and responsibilities described in the
                     charter, approved by senior management, and accepted by the board.
                  -  Resources of the internal audit activity are efficiently and effectively employed.
                  -  Engagement work conforms to the International Standards for the Professional
                     Practice of Internal Auditing.
The chief audit executive (CAE) should (1) establish risk-based plans, (2) communicate plans and
resource needs to senior management and the board for their approval, (3) develop policies and
procedures, (4) coordinate efforts with other service providers, and (5) report periodically to senior
management and the board. The CAE also must develop a quality assurance and improvement
program for the IAA.

                                                              Core Concepts
-  The CAE establishes risk-based plans to determine the IAA’s priorities. They should be consistent
   with the goals of the organization.
-  Planning involves establishing (a) goals, (b) engagement work schedules, (c) staffing plans and
   financial budgets, and (d) activity reports.
-  Plans should be based on risk assessment.
-  The audit universe includes components of the organization’s strategic plan.
-  The CAE communicates plans and resource requirements to senior management and the board
   for review and approval.
-  The CAE reports to senior management and the board on the IAA’s (a) purpose, (b) authority,
   (c) responsibility, and (d) performance. The CAE also reports on significant risk, control, and
   governance issues, as well as other matters upon request.
-  The audit committee and the IAA have interlocking goals. Thus, a strong working relationship is
   essential for them to fulfill their responsibilities.
-  Sound governance depends on the synergy among (a) the board, (b) management, (c) internal
   auditing, and (d) external auditing.
-  The CAE ensures that the IAA’s resources are appropriate, sufficient, and effectively used.
-  The CAE establishes policies and procedures to guide the IAA.

           Copyright © 2008 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
2    SU 8: Managing the Internal Audit Activity I




8.1 PLANNING
    1.    This subunit concerns the need for risk-based planning for the IAA. Planning for the
           management of the IAA is addressed in one Specific Performance Standard, one
           Assurance Implementation Standard, one Consulting Implementation Standard, and two
           Practice Advisories.
    2.    2010            Planning – The chief audit executive should establish risk-based plans to
                          determine the priorities of the internal audit activity, consistent with the
                          organization’s goals.
           a.      PRACTICE ADVISORY 2010-1: PLANNING
                    1.       Planning for the internal audit activity should be consistent with its charter and
                             with the goals of the organization. The planning process involves establishing:
                             -  Goals.
                             -  Engagement work schedules.
                             -  Staffing plans and financial budgets.
                             -  Activity reports.
                    2.       The goals of the internal audit activity should be capable of being accomplished
                             within specified operating plans and budgets and, to the extent possible,
                             should be measurable. They should be accompanied by measurement criteria
                             and targeted dates of accomplishment.
                    3.       Engagement work schedules should include the following:
                             -  What activities are to be performed;
                             -  When they will be performed; and
                             -  The estimated time required, taking into account the scope of the
                                engagement work planned and the nature and extent of related work
                                performed by others.
                    4.       Matters to be considered in establishing engagement work schedule priorities
                             should include:
                             -  The dates and results of the last engagement;
                             -  Updated assessments of risks and effectiveness of risk management and
                                control processes;
                             -  Requests by senior management, the audit committee, and the governing
                                body;
                                NOTE: Governmental regulatory requirements (for example, an audit of
                                the use of financial assistance provided from public funds) also may be a
                                source of engagements.
                             -  Current issues relating to organizational governance;
                             -  Major changes in the enterprise’s business, operations, programs,
                                systems, and controls;
                             -  Opportunities to achieve operating benefits; and
                             -  Changes to and capabilities of the audit staff. The work schedules should
                                be sufficiently flexible to cover unanticipated demands on the internal audit
                                activity.








                                                                PA Summary

     -  Planning for the IAA is subject to its charter and organizational goals. The
        process establishes (1) goals, (2) work schedules, (3) staffing plans and financial
        budgets, and (4) activity reports.
     -  IAA goals should be (1) accomplished within specified plans and budgets,
        (2) measurable, and (3) accompanied by criteria and accomplishment dates.
     -  Work schedules answer the questions what is to be done, when, and how long
        (considering work planned and the work performed by others).
     -  Setting work schedule priorities requires consideration of matters ranging from
        results of prior engagements to changes in the entity’s business.


     b.      PRACTICE ADVISORY 2010-2: LINKING THE AUDIT PLAN TO RISK AND
              EXPOSURES
              1.       The internal audit activity’s plan should be designed based on an assessment
                       of risk and exposures that may affect the organization. Ultimately, the
                       objective is to provide management with information to mitigate the negative
                       consequences associated with accomplishing the organization’s objectives. The
                       degree or materiality of exposure can be viewed as risk mitigated by
                       establishing control activities.
                       NOTE: Risk is concerned with the probability rather than the certainty of loss.
                       Assessing the risk of an activity involves analysis of numerous factors,
                       estimation of probabilities and amounts of potential losses, and an appraisal of
                       the costs and benefits of risk reduction. Consequently, in assessing the
                       magnitude of risk associated with any factor in a risk model, the necessity of
                       informed judgment by the internal auditor is implied.
              2.       The audit universe can include components from the organization’s strategic
                       plan. By incorporating components of the organization’s strategic plan, the audit
                       universe will consider and reflect the overall business plan objectives.
                       Strategic plans are also likely to reflect the organization’s attitude toward risk
                       and the degree of difficulty in achieving planned objectives. It is advisable
                       to assess the audit universe on at least an annual basis to reflect the most
                       current strategies and direction of the organization. The audit universe can be
                       influenced by the results of the risk management process. When developing
                       plans, the outcomes of the risk management process should be considered.
              3.       Work schedules should be based on, among other factors, an assessment of
                       risk priority and exposure. Prioritizing is needed to make decisions for
                       applying relative resources based on the significance of risk and exposure. A
                       variety of risk models exist to assist the chief audit executive in prioritizing
                       potential engagement subject areas. Most risk models use risk factors to
                       establish the priority of engagements, such as dollar materiality, asset liquidity,
                       management competence, quality of internal controls, degree of change or
                       stability, time of last engagement, complexity, and employee and government
                       relations.
              4.       Changes in management direction, objectives, emphasis, and focus should be
                       reflected in updates to the audit universe and related plan.
              5.       In conducting engagements, methods and techniques for testing and validating
                       exposures should be reflective of the risk materiality and likelihood of
                       occurrence.







                    6.       Management reporting and communication should convey risk management
                             conclusions and recommendations to reduce exposures. For management to
                             fully understand the degree of exposure, it is critical that reporting identify the
                             criticality and consequence of the risk activity to achieving objectives.
                    7.       The chief audit executive should, at least annually, prepare a statement of the
                             adequacy of internal controls to mitigate risks. This statement should also
                             comment on the significance of unmitigated risk and management’s acceptance
                             of such risk.


                                                                      PA Summary

           -  The IAA’s plan is based on an assessment of risk and exposure. The objective
              is to provide information to help management mitigate the negative consequences
              of accomplishing the organization’s objectives. The degree of exposure is risk
              mitigated by control.
           -  The audit universe may reflect the organization’s strategic plan. Thus, it may
              reflect (1) the overall business objectives, (2) the attitude toward risk, (3) the
              difficulty of reaching objectives, and (4) the results of risk management. The audit
              universe should be assessed at least annually to reflect the most current
              strategies and direction of the organization.
           -  Work schedules are based on an assessment of risk priority and exposure.
              Various risk models may be used to prioritize engagements. Most risk models
              are based on risk factors, e.g., quality of controls, degree of change, or
              materiality.
           -  The audit universe and plan must be updated for changes in management
              direction.
           -  Methods of testing exposures should reflect risk materiality and probability.
           -  Management reporting must state risk management conclusions and
              recommendations. It also must identify the criticality and consequence of the
              risk activity.
           -  The CAE should prepare an annual statement of the adequacy of controls, the
              significance of unmitigated risk, and management’s acceptance of such risk.


    3.    2010.A1 – The internal audit activity’s plan of engagements should be based on a risk
           assessment, undertaken at least annually. The input of senior management and the board
           should be considered in this process.
    4.    2010.C1 – The chief audit executive should consider accepting proposed consulting
           engagements based on the engagement’s potential to improve management of risks, add
           value, and improve the organization’s operations. Those engagements that have been
           accepted should be included in the plan.







8.2 COMMUNICATION OF PLANS
    1.    This subunit concerns communicating the IAA’s plans to senior management and the board.
           The topic is covered in one Specific Performance Standard and one Practice Advisory.
    2.    2020            Communication and Approval – The chief audit executive should communicate
                          the internal audit activity’s plans and resource requirements, including significant
                          interim changes, to senior management and to the board for review and approval.
                          The chief audit executive should also communicate the impact of resource
                          limitations.
           a.      PRACTICE ADVISORY 2020-1: COMMUNICATION AND APPROVAL
                    1.       The chief audit executive should submit annually to senior management for
                             approval, and to the board for its information, a summary of the internal audit
                             activity’s work schedule, staffing plan, and financial budget. The chief audit
                             executive should also submit all significant interim changes for approval and
                             information. Engagement work schedules, staffing plans, and financial budgets
                             should inform senior management and the board of the scope of internal
                             auditing work and of any limitations placed on that scope.
                    2.       The approved engagement work schedule, staffing plan, and financial budget,
                             along with all significant interim changes, should contain sufficient information to
                             enable the board to ascertain whether the internal audit activity’s objectives and
                             plans support those of the organization and the board.


                                                                      PA Summary

           -  The CAE annually submits to senior management for approval and to the board a
              summary of the IAA’s work schedule, staffing plan, and financial budget. The
              CAE also submits all significant interim changes. The scope of work and any
              limitations on it should be disclosed.
           -  These communications should allow the board to determine whether the IAA’s
              objectives and plans are consistent with the organization’s.








8.3 REPORTING
    1.    This subunit addresses reporting of the IAA’s accomplishments and other matters. The topic
           is the subject of one Specific Performance Standard and one Practice Advisory.
    2.    2060            Reporting to the Board and Senior Management – The chief audit executive
                          should report periodically to the board and senior management on the internal
                          audit activity’s purpose, authority, responsibility, and performance relative to its
                          plan. Reporting should also include significant risk exposures and control issues,
                          corporate governance issues, and other matters needed or requested by the board
                          and senior management.
           a.      PRACTICE ADVISORY 2060-1: REPORTING TO THE BOARD AND SENIOR
                    MANAGEMENT
                    1.       The chief audit executive should submit activity reports to senior management
                             and to the board at least annually. Activity reports should highlight significant
                             engagement observations and recommendations and should inform senior
                             management and the board of any significant deviations from approved
                             engagement work schedules, staffing plans, and financial budgets, and the
                             reasons for them.
                    2.       Significant engagement observations are those conditions that, in the
                             judgment of the chief audit executive, could adversely affect the organization.
                             Significant engagement observations may include conditions dealing with
                             irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of
                             interest, and control weaknesses. After reviewing such conditions with senior
                             management, the chief audit executive should communicate significant
                             engagement observations and recommendations to the board, whether or not
                             they have been satisfactorily resolved.
                    3.       Management’s responsibility is to make decisions on the appropriate action to
                             be taken regarding significant engagement observations and recommendations.
                             Senior management may decide to assume the risk of not correcting the
                             reported condition because of cost or other considerations. The board should
                             be informed of senior management’s decisions on all significant observations
                             and recommendations.
                    4.       The chief audit executive should consider whether it is appropriate to inform the
                             board regarding previously reported, significant observations and
                             recommendations in those instances when senior management and the board
                             assumed the risk of not correcting the reported condition. This may be
                             particularly necessary when there have been organization, board, senior
                             management, or other changes.
                    5.  In addition to subjects covered above, activity reports should also compare
                        (a) actual performance with the internal audit activity’s goals and engagement
                        work schedules, and (b) expenditures with financial budgets. Reports
                        should explain the reason for major variances and indicate any action taken or
                        needed.
                     NOTE: Thus, the CAE should report key performance indicators.








                                                                      PA Summary

           -  The CAE submits activity reports at least annually. They describe (1) significant
              engagement observations (those adversely affecting the organization) and
              recommendations and (2) significant deviations from work schedules, staffing
              plans, and financial budgets, and the reasons for them.
           -  Significant observations and recommendations are reviewed with senior
              management and then communicated to the board, whether or not resolved.
           -  Management is responsible for making decisions about actions to be taken but
              may assume the risk of not correcting the reported conditions. The board should
              be informed of all decisions regarding significant matters.
           -  The CAE considers whether the board should be informed about previously
              reported significant matters when senior management and the board assumed
              the risk of not correcting the reported condition.
           -  Activity reports also compare (1) performance with goals and work schedules and
              (2) expenditures with budgets. Reports explain major variances and indicate
              action taken or needed.



8.4 RELATIONSHIP WITH THE AUDIT COMMITTEE
    1.    This subunit consists of one Practice Advisory that describes the IAA’s roles and
           responsibilities in its dealings with the governance body commonly known as the audit
           committee. The PA interprets Standard 2060 (see Subunit 8.3). The subunit also contains
           additional outlines of the audit committee’s characteristics and responsibilities, including a
           sample charter.
           a.      PRACTICE ADVISORY 2060-2: RELATIONSHIP WITH THE AUDIT COMMITTEE
                    1.       The term “audit committee,” as used in this document, refers to the governance
                             body that is charged with oversight of the organization’s audit and control
                             functions. Although these fiduciary duties are often delegated to an audit
                             committee of the board of directors, the information in this Practice Advisory is
                             also intended to apply to other oversight groups with equivalent authority and
                             responsibility, such as trustees, legislative bodies, owners of an owner-managed
                             entity, internal control committees, or full boards of directors.
                    2.       The Institute of Internal Auditors recognizes that audit committees and internal
                             auditors have interlocking goals. A strong working relationship with the
                             audit committee is essential for each to fulfill its responsibilities to senior
                             management, board of directors, shareholders, and other outside parties. This
                             Practice Advisory summarizes The Institute’s views concerning the aspects and
                             attributes of an appropriate relationship between an audit committee and the
                             internal audit function. The Institute acknowledges that audit committee
                             responsibilities encompass activities that are beyond the scope of this advisory
                             and in no way intends it to be a comprehensive description of audit committee
                             responsibilities.








                  3.       There are three areas of activities that are key to an effective relationship
                           between the audit committee and the internal audit function, chiefly through the
                           Chief Audit Executive (CAE):
                           -  Assisting the audit committee to ensure that its charter, activities, and
                              processes are appropriate to fulfill its responsibilities.
                           -  Ensuring that the charter, role, and activities of internal audit are clearly
                              understood and responsive to the needs of the audit committee and the
                              board.
                           -  Maintaining open and effective communications with the audit
                              committee and the chairperson.
                  Audit Committee Responsibilities
                  4.       The CAE should assist the committee in ensuring that the charter, role and
                           activities of the committee are appropriate for it to achieve its responsibilities.
                           The CAE can play an important role by assisting the committee to
                           periodically review its activities and suggesting enhancements. In this way,
                           the CAE serves as a valued advisor to the committee on audit committee and
                           regulatory practices. Examples of activities that the CAE can undertake are:
                           -  Reviewing the charter for the audit committee at least annually and
                              advising the committee whether the charter addresses all responsibilities
                              directed to the committee in any terms of reference or mandates from the
                              board of directors.
                           -  Reviewing or maintaining a planning agenda for the audit committee’s
                              meeting that details all required activities to ascertain whether they are
                              completed. The agenda assists the committee in reporting to the board
                              annually that it has completed all assigned duties.
                           -  Drafting the audit committee’s meeting agenda for the chairman’s
                              review, facilitating the distribution of the material to the audit committee
                              members, and writing up the minutes of the audit committee meetings.
                           -  Encouraging the audit committee to conduct periodic reviews of its
                              activities and practices compared with current best practices to ensure
                              that its activities are consistent with leading practices.
                           -  Meeting periodically with the chairperson to discuss whether the materials
                              and information being furnished to the committee are meeting their needs.
                           -  Inquiring of the audit committee whether any educational or
                              informational sessions or presentations would be helpful, such as
                              training new committee members on risk and controls.
                           -  Inquiring of the committee whether the frequency and time allotted to the
                              committee are sufficient.
                  Internal Audit Activity’s Role
                  5.       The CAE’s relationship to the audit committee should revolve around a core role
                           of the CAE ensuring that the audit committee understands, supports, and
                           receives all assistance needed from the internal audit function. The IIA supports
                           the concept that sound governance is dependent on the synergy generated
                           among the four principal components of effective corporate governance
                           systems: boards of directors, management, internal auditors, and external
                           auditors. In that structure, internal auditors and audit committees are mutually
                           supportive. Consideration of the work of internal auditors is essential for the
                           audit committee to gain a complete understanding of an organization’s operations.
                           A primary component of the CAE’s role with the committee is to ensure
                           this objective is accomplished and the committee views the CAE as their trusted
                           advisor. The CAE can perform a number of activities to accomplish this role:




                       •        Request that the committee review and approve the internal audit charter
                                on an annual basis.
                       •        Review with the audit committee the functional and administrative
                                reporting lines of internal audit to ensure that the organizational structure
                                in place allows adequate independence for internal auditors (Practice
                                Advisory 1110-2: Chief Audit Executive (CAE) Reporting Lines).
                       •        Incorporate in the charter for the audit committee the review of hiring
                                decisions, including appointment, compensation, evaluation, retention,
                                and dismissal of the CAE.
                       •        Incorporate in the charter for the audit committee the review and approval
                                of proposals to outsource any internal audit activities.
                       •        Assist the audit committee in evaluating the adequacy of the personnel
                                and budget, and the scope and results of the internal audit activities, to
                                ensure that there are no budgetary or scope limitations that impede the
                                ability of the internal audit function to execute its responsibilities.
                       •        Provide information on the coordination with and oversight of other
                                control and monitoring functions (e.g., risk management, compliance,
                                security, business continuity, legal, ethics, environmental, external audit).
                       •        Report significant issues related to the processes for controlling the
                                activities of the organization and its affiliates, including potential
                                improvements to those processes, and provide information concerning
                                such issues through resolution.
                       •        Provide information on the status and results of the annual audit plan and
                                the sufficiency of department resources to senior management and the
                                audit committee.
                       •        Develop a flexible annual audit plan using an appropriate risk-based
                                methodology, including any risks or control concerns identified by
                                management, and submit that plan to the audit committee for review and
                                approval as well as periodic updates.
                       •        Report on the implementation of the annual audit plan, as approved,
                                including as appropriate any special tasks or projects requested by
                                management and the audit committee.
                       •        Incorporate into the internal audit charter the responsibility for the internal
                                audit department to report to the audit committee on a timely basis any
                                suspected fraud involving management or employees who are
                                significantly involved in the internal controls of the company, assist in the
                                investigation of significant suspected fraudulent activities within the
                                organization, and notify management and the audit committee of the
                                results.
                       •        Inform the audit committee that quality assessment reviews of the
                                internal audit activity should be done every five years to comply with The
                                IIA’s International Standards for the Professional Practice of Internal
                                Auditing (Standards). Regular quality assessment reviews will provide
                                assurance to the audit committee and to management that internal auditing
                                activities conform to Standards.




                   Communications with the Audit Committee
                   6.       To a large degree, the overall effectiveness of the CAE and audit committee
                            relationship will revolve around the communications between the parties.
                            Today’s audit committees expect a high level of open and candid
                            communications. If the CAE is to be viewed as a trusted advisor by the
                            committee, communication is the key element. Internal auditing, by definition,
                            can help the audit committee accomplish its objectives by bringing a systematic,
                            disciplined approach to its activities. However, in the absence of appropriate
                            communication, it is not possible for the committee to determine whether internal
                            auditing has met its objectives. The chief audit executive should consider
                            providing communications to the audit committee in the following areas:
                            •        Discussion of sensitive issues in private meetings on a regular basis.
                            •        Annual summary report or assessment of the results of the audit
                                     activities relating to the defined mission and scope of audit work.
                            •        Periodic reports to the audit committee and management summarizing
                                     results of audit activities.
                            •        Information about emerging trends and successful practices in internal
                                     auditing.
                            •        Discussion of fulfillment of committee information needs.
                            •        Review of completeness and accuracy of information submitted.
                            •        Confirmation of coordination of activities between internal and external
                                     auditors. The CAE should determine whether there is any duplication
                                     between the work of the internal and external auditors and give the
                                     reasons for such duplication.


                                                                     PA Summary

          •       The audit committee or its equivalent is a governance body that oversees audit
                   and control.
          •       The audit committee and the IAA have interlocking goals and must have a strong
                   relationship so that both may fulfill their responsibilities.
          •       The CAE assists the audit committee by (1) helping it to review its activities and
                   (2) suggesting enhancements. The CAE may (1) review the audit committee’s
                   charter to advise whether all of the committee’s responsibilities are addressed,
                   (2) review or maintain its planning agenda to determine whether all activities are
                   completed, (3) draft its meeting agenda for review and write up the minutes of
                   meetings, (4) encourage periodic committee reviews for comparison with current
                   best practices, (5) meet with the chair to discuss whether the information
                   received by the audit committee is sufficient, (6) inquire about providing
                   educational presentations, and (7) inquire about the sufficiency of the
                   frequency and time allotted to the audit committee.
          •       The CAE’s core role is to ensure that the audit committee understands, supports,
                   and receives all assistance needed from the IAA. The principal components of an
                   effective governance system are (1) the board, (2) management, (3) the IAA,
                   and (4) external auditing. Consideration of the work of the IAA is essential to the
                   audit committee’s understanding of operations. The CAE ensures
                   (1) accomplishment of this objective and (2) that the audit committee views the
                   CAE as a trusted advisor.




          •       The CAE’s role as advisor to the audit committee includes suggesting steps to
                   promote the IAA’s status and independence, for example, audit committee review
                   of (1) the IAA charter annually, (2) functional and administrative reporting lines,
                   (3) decisions about the employment of the CAE, (4) outsourcing of IAA
                   functions, (5) personnel and budgets, and (6) scope and results of IAA functions.
          •       The CAE also should (1) develop a risk-based and flexible annual audit plan to
                   be approved by the audit committee, (2) report on its implementation, and
                   (3) provide information about its results and the sufficiency of IAA resources.
          •       The CAE reports on (1) coordination with and oversight of other control and
                   monitoring functions and (2) issues related to control processes. Moreover, the
                   CAE includes in the IAA charter the responsibility for timely reporting of
                   suspected fraud involving anyone significantly involved in internal control,
                   assisting in the investigation, and notifying management and the audit
                   committee of the results. The CAE also informs the audit committee that a quality
                   assessment review of the IAA should be done every five years to comply with the
                   Standards.
          •       Communication is the key element in the relationship of the CAE and the audit
                   committee. Thus, regular private meetings should be held. The CAE should
                   consider communications about the following: (1) annual and periodic reports,
                   (2) trends and practices in auditing, (3) fulfilling the audit committee’s
                   information needs, (4) reviewing information for completeness and accuracy,
                   and (5) confirming coordination with external auditors and explaining any
                   duplication of work.


2.    Audit committees. The audit committee is a subcommittee of outside directors who are
       independent of management. Its purpose is to help keep external and internal auditors
       independent and to assure that the directors are exercising due care.
       a.      The role of an audit committee or an equivalent in strengthening the position of
                auditors is widely recognized. The audit committee should
                1)   Have a written charter developed by its governing authority describing its duties
                      and responsibilities.
                2) Review the independence of the external auditor.
                3) Report to stakeholders (e.g., shareholders). Reports should include a letter
                      from the chair of the audit committee describing its responsibilities and
                      activities.
                4) Monitor compliance with codes of conduct and legal and regulatory standards.
                5) Have sufficient resources.
                6) Oversee the regulatory reporting process.
                7) Monitor instances in which management seeks second opinions on significant
                      accounting issues.
       b.      Many stock exchanges require a listed organization to have an audit committee.
       c.      An audit committee composed of nonmanagement directors promotes the
                independence of all auditors, especially when it selects the external audit firm and
                the chief audit executive. A strong audit committee insulates the auditors from
                influences that may compromise their independence and objectivity.
                1)     An audit committee also may serve as a mediator of disputes between the
                        auditors and management.




          d.      Audit Committee Functions
                   1)   Select an external auditor and review the audit fee and the engagement letter
                   2)   Review the external auditor’s overall audit plan
                   3)   Review preliminary annual and interim financial statements
                   4)   Review results of engagements performed by external auditors, including the
                         management letter (advice and observations not required to be communicated
                         by auditing standards)
                   5) Approve the charter of the internal audit activity (Standard 1000)
                   6) Review and approve the internal audit activity’s plans and resource
                         requirements and receive a summary of the IAA’s work schedule, staffing plan,
                         and financial budget (Standard 2020 and PA 2020-1)
                   7) Communicate directly with the chief audit executive, who should regularly
                         attend and participate in meetings (PA 1110-1)
                   8) Review evaluations of risk management, control, and governance processes
                         reported by the internal auditors
                   9) Ensure that engagement results are given due consideration and receive
                         distributions of final engagement communications by the internal auditors
                         (PA 2440-1)
                   10) Review policies on unethical and illegal procedures
                   11) Review financial statements to be transmitted to regulatory agencies
                   12) Participate in the selection of accounting policies
                   13) Review the impact of new or proposed legislation or regulations
                   14) Review the organization’s insurance program
                   15) Consider the effectiveness and efficiency of information systems
                   16) Evaluate executive performance and compensation
          e.      External auditors have recognized the importance of reporting to audit committees
                   or comparable governance bodies. Among the matters that may be communicated
                   are (1) internal-control-related matters, (2) significant accounting policies,
                   (3) management judgments and accounting estimates, (4) significant audit
                   adjustments, (5) disagreements with management, and (6) difficulties encountered
                   during the audit.
                   1)     One of the factors encompassed by the control environment component of
                           internal control is participation by the board, audit committee, or other
                           governing authority. The control consciousness of the organization is
                           improved if the audit committee is (a) independent of management,
                           (b) composed of experienced and respected people, (c) extensively involved in
                           oversight of organizational activities, (d) willing to raise and pursue difficult
                           questions with management, and (e) in close communication with the internal
                           and external auditors.
                   2)     Fraud involving senior management or fraud that materially misstates the
                           financial statements should be reported directly to the audit committee.
                            a)     The external auditors also should obtain assurance that the audit
                                    committee is adequately informed about other illegal acts coming to the
                                    auditors’ attention.




     f.      The following is The IIA’s sample charter for the audit committee (Sawyer’s Internal
              Auditing, 5th ed., pages 1328-1332):
              Audit Committee Charter
              PURPOSE
              To assist the board of directors in fulfilling its oversight responsibilities for the financial reporting process,
              the system of internal control, the audit process, and the company’s process for monitoring compliance
              with laws and regulations and the code of conduct.
              AUTHORITY
              The audit committee has authority to conduct or authorize investigations into any matters within its
              scope of responsibility. It is empowered to:
                  Appoint, compensate, and oversee the work of any registered public accounting firm employed by the
                  organization.
                  Resolve any disagreements between management and the auditor regarding financial reporting.
                  Pre-approve all auditing and non-audit services.
                  Retain independent counsel, accountants, or others to advise the committee or assist in the conduct
                  of an investigation.
                  Seek any information it requires from employees – all of whom are directed to cooperate with the
                  committee’s requests – or external parties.
                  Meet with company officers, external auditors, or outside counsel, as necessary.
              COMPOSITION
              The audit committee will consist of at least three and no more than six members of the board of
              directors. The board or its nominating committee will appoint committee members and the committee
              chair.
              Each committee member will be both independent and financially literate. At least one member shall be
              designated as the “financial expert,” as defined by applicable legislation and regulation.
              MEETINGS
              The committee will meet at least four times a year, with authority to convene additional meetings, as
              circumstances require. All committee members are expected to attend each meeting, in person or via
              tele- or video-conference. The committee will invite members of management, auditors, or others to
              attend meetings and provide pertinent information, as necessary. It will hold private meetings with
              auditors (see below) and executive sessions. Meeting agendas will be prepared and provided in
              advance to members, along with appropriate briefing materials. Minutes will be prepared.
              RESPONSIBILITIES
              The committee will carry out the following responsibilities:
              Financial Statements
                       •        Review significant accounting and reporting issues, including complex or unusual
                                transactions and highly judgmental areas, and recent professional and regulatory
                                pronouncements, and understand their impact on the financial statements.
                       •        Review with management and the external auditors the results of the audit, including any
                                difficulties encountered.
                       •        Review the annual financial statements, and consider whether they are complete,
                                consistent with information known to committee members, and reflect appropriate
                                accounting principles.
                       •        Review other sections of the annual report and related regulatory filings before release
                                and consider the accuracy and completeness of the information.
                       •        Review with management and the external auditors all matters required to be
                                communicated to the committee under generally accepted auditing standards.
                       •        Understand how management develops interim financial information, and the nature and
                                extent of internal and external auditor involvement.
                       •        Review interim financial reports with management and the external auditors before filing
                                with regulators, and consider whether they are complete and consistent with the
                                information known to committee members.




                   Internal Control
                            •        Consider the effectiveness of the company’s internal control system, including information
                                     technology security and control.
                            •        Understand the scope of internal and external auditors’ review of internal control over
                                     financial reporting, and obtain reports on significant findings and recommendations,
                                     together with management’s responses.
                   Internal Audit
                            •        Review with management and the chief audit executive the charter, plans, activities,
                                     staffing, and organizational structure of the internal audit function.
                            •        Ensure there are no unjustified restrictions or limitations, and review and concur in the
                                     appointment, replacement, or dismissal of the chief audit executive.
                            •        Review the effectiveness of the internal audit function, including compliance with The
                                     Institute of Internal Auditors’ Standards.
                            •        On a regular basis, meet separately with the chief audit executive to discuss any matters
                                     that the committee or internal audit believes should be discussed privately.
                   External Audit
                            •        Review the external auditors’ proposed audit scope and approach, including coordination
                                     of audit effort with internal audit.
                            •        Review the performance of the external auditors, and exercise final approval on the
                                     appointment or discharge of the auditors.
                            •        Review and confirm the independence of the external auditors by obtaining statements
                                     from the auditors on relationships between the auditors and the company, including
                                     non-audit services, and discussing the relationships with the auditors.
                            •        On a regular basis, meet separately with the external auditors to discuss any matters that
                                     the committee or auditors believe should be discussed privately.
                   Compliance
                            •        Review the effectiveness of the system for monitoring compliance with laws and
                                     regulations and the results of management’s investigation and follow-up (including
                                     disciplinary action) of any instances of noncompliance.
                            •        Review the findings of any examinations by regulatory agencies, and any auditor
                                     observations.
                            •        Review the process for communicating the code of conduct to company personnel, and for
                                     monitoring compliance therewith.
                            •        Obtain regular updates from management and company legal counsel regarding
                                     compliance matters.
                   Reporting Responsibilities
                            •        Regularly report to the board of directors about committee activities, issues, and related
                                     recommendations.
                            •        Provide an open avenue of communication between internal audit, the external auditors,
                                     and the board of directors.
                            •        Report annually to the shareholders, describing the committee’s composition,
                                     responsibilities and how they were discharged, and any other information required by rule,
                                     including approval of non-audit services.
                            •        Review any other reports the company issues that relate to committee responsibilities.
                   Other Responsibilities
                            •        Perform other activities related to this charter as requested by the board of directors.
                            •        Institute and oversee special investigations as needed.
                            •        Review and assess the adequacy of the committee charter annually, requesting board
                                     approval for proposed changes and ensure appropriate disclosure as may be required by
                                     law or regulation.
                            •        Confirm annually that all responsibilities outlined in this charter have been carried out.
                            •        Evaluate the committee’s and individual members’ performance on a regular basis.




          g.      In response to numerous financial reporting scandals involving large businesses,
                   various countries have enacted laws and regulations relating to corporate
                   governance. These laws and regulations often include provisions addressing the role
                   of the audit committee or a comparable governance body. The following are
                   examples of such provisions:
                   1)     Each member of the audit committee may be required to be independent of
                           the board.
                   2)     The audit committee may be required to be directly responsible for appointing,
                           compensating, and overseeing the work of the external auditors, who should
                           report directly to the audit committee.
                   3)     The audit committee may be required to implement procedures for the receipt,
                           retention, and treatment of complaints about accounting and auditing
                           matters.
                   4)     The audit committee also may be required to be appropriately funded by the
                           organization and may hire independent counsel or other advisors.

8.5 RESOURCE MANAGEMENT
   1.    This subunit addresses management of human resources of the internal audit activity. It
          includes one Specific Performance Standard and one Practice Advisory.
   2.    2030 Resource Management – The chief audit executive should ensure that internal
          audit resources are appropriate, sufficient, and effectively deployed to achieve the
          approved plan.
          a.      PRACTICE ADVISORY 2030-1: RESOURCE MANAGEMENT
                   1.       The chief audit executive (CAE) is primarily responsible for the sufficiency
                            and management of the internal audit resources in a manner that ensures the
                            fulfillment of the internal audit’s responsibilities as detailed in the internal audit
                            charter. This includes effective communications and reporting of resource
                            needs and status to senior management and the board. Internal audit
                            resources may include employees, external resources, or a combination
                            thereof. Ensuring the adequacy of the internal audit resources is ultimately a
                            responsibility of the organization’s board and senior management, and the
                            CAE should assist them in discharging this responsibility.
                   2.       The skills, capabilities and technical knowledge of the internal audit
                            resources must be appropriate for the planned activities. The CAE should
                            conduct a periodic skills assessment or inventory to determine the specific
                            skills required to perform the internal audit activities. The skills assessment
                            should be based on and consider the various needs identified in the risk
                            assessment and audit plan. The CAE should then determine and assign
                            resources that possess the skills, knowledge, and competencies identified by the
                            skills assessment. This may include assessments of technical skills, language
                            skills, business knowledge, fraud detection and prevention, accounting and
                            auditing expertise. The CAE must ensure that the skills assessment is driven
                            by the needs of the audit coverage and that this coverage is not being determined
                            primarily by the capabilities present within the internal audit organization.
                            Recognizing the dynamic nature of risk, the CAE should periodically update the
                            skills assessment. Based on these updates, the CAE may consider needs to
                            increase the skills, capabilities and knowledge of the existing staff. The
                            extent and formality of the skills assessment should be appropriate for the size
                            and complexity of the internal audit function.



                   3.       Internal audit resources, both staffing and financial, should be sufficient to
                            execute the audit activities in both the depth and timeliness expected by the
                            audit committee and management. Resourcing plans should consider carefully
                            the resultant audit coverage and components such as
                            a.     The amount of the audit universe that is covered over what period of time.
                            b.     The coverage of the higher risk areas in the plan.
                            c.     The geographic coverage.
                            d.     The capacity for unplanned projects, management requests, or other
                                    non-audit events.
                            e.     The nature and extent of the work to be performed.
                   4.       The CAE must also ensure that resources are effectively deployed. This
                            includes assigning auditors who are competent and qualified for specific
                            assignments. It also includes developing a resourcing approach and
                            organizational structure that are appropriate for the business structure,
                            complexity, and geographical dispersion of the organization.
                   5.       In considering the sufficiency of resourcing levels, if trade-offs are considered
                            for cost or other reasons, the CAE should ensure that the decision process
                            includes clear communications of the impact on the timing or coverage of the
                            objectives stated in the internal audit plan. If the CAE believes that resourcing
                            levels are insufficient to accomplish the internal audit charter, that view should
                            be clearly communicated to the board and senior management for their final
                            determination.
                   6.       From an overall resource management standpoint, the CAE should also consider
                            other aspects such as succession planning, staff evaluation and
                            development programs, and other human resource disciplines. The CAE
                            must also ensure that the resourcing needs of internal audit are appropriately
                            addressed, whether those skills are present or not within the internal audit
                            function itself. The CAE should consider other approaches to addressing
                            resource needs including external sourcing arrangements, other company
                            employees, or specialized consultants.
                   7.       Because of the critical nature of resources, the CAE should maintain ongoing
                            communications and dialogue with senior management and the board on the
                            adequacy of resources for the internal audit function. At least annually, the CAE
                            should present a detailed summary of status and adequacy of resources to
                            the board. The CAE should ensure that the board is provided with relevant,
                            reliable, and accurate data to demonstrate the adequacy of resources. To that
                            end, the CAE should develop appropriate metrics, goals, and objectives that
                            could be used to monitor the overall adequacy of resources. This can include
                            (a) comparisons of resources to the audit plan, (b) the impacts of temporary
                            shortages or vacancies, (c) educational and training activities, and (d) changes
                            to specific skill needs and requirements as determined by changes in the
                            organization’s businesses or risk profiles and third-party arrangements.








                                                                  PA Summary

       •       The CAE is primarily responsible for the sufficiency and management of IAA
                 resources, including effective communication of needs and status to senior
                 management and the board. These parties ultimately must ensure the adequacy
                 of resources. Resources may include employees, external resources, or a
                 combination.
       •       The CAE conducts a periodic skills assessment (inventory) based on the audit
                 coverage needs identified in the risk assessment and audit plan. Audit coverage
                 should not be determined primarily by the capabilities present within the IAA.
                 Updates of the skills assessment may reveal a need to increase the skills,
                 capabilities, and technical knowledge of the staff.
       •       Resources should be sufficient for audit activities performed in the ways expected
                 by the audit committee and management. Resourcing plans address coverage
                 issues such as (1) the amount of the audit universe covered in a given period,
                 (2) high-risk areas, (3) geographic coverage, (4) capacity to meet unplanned
                 demands, and (5) nature and extent of work.
       •       Resources must be effectively deployed. The CAE must assign auditors qualified
                 for their tasks and develop an appropriate resourcing approach and
                 organizational structure.
       •       If cost or other tradeoffs are considered in resource decisions, the CAE should
                 clearly communicate the effects on the timing or coverage of the audit plan and
                 the accomplishment of the IAA’s objectives. If resources are insufficient, that
                 view should be clearly communicated to the board and senior management.
       •       The CAE also considers such matters as succession planning, staff evaluation and
                 development, and other human resource disciplines. Appropriately addressing
                 resource needs may require consideration of the use of external sourcing,
                 specialized consultants, or other employees of the organization.
       •       The CAE should have ongoing communication with senior management and the
                 board about resource adequacy. The CAE also should give the board, at least
                 annually, a detailed summary of resource status and adequacy. The CAE should
                 provide metrics and objectives appropriate for monitoring resource adequacy,
                 for example, (1) comparisons of resources with the audit plan; (2) the effects of
                 temporary shortages; (3) educational and training activities; and (4) changes in
                 skill needs because of changes in businesses, risk profiles, and third-party
                 arrangements.


3.    Job Descriptions
       a.      Facilitate recruiting by stating explicit job requirements
       b.      Provide objective promotion criteria
       c.      Are used to justify adequate salaries
       d.      Express organizational expectations of employees
       e.      Compel the internal audit activity to engage in personnel planning
       f.      May be prepared for the chief audit executive and other administrators
                1)     The internal audit activity’s charter is effectively a job description for the CAE.
                NOTE: The descriptions for the positions of manager, supervisor, and senior are
                presented beginning on the next page (adapted from Sawyer, Dittenhofer, and
                Scheiner, Sawyer’s Internal Auditing, pages 846, 847, and 848, respectively).








           MANAGER
                            Purpose
                            •        To administer the internal audit activity of an assigned location or operation.
                            •        To develop a comprehensive, practical program of engagement coverage for the assigned
                                     location or operation.
                            •        To obtain accomplishment of the program in accordance with acceptable engagement
                                     standards and stipulated schedules.
                            •        To maintain effective working relations with executive and operating management.
                            Authority and Responsibility
                            Within the general guidelines provided by the chief audit executive:
                            •        Prepares a comprehensive, long-range program of engagement coverage for the location
                                     to which assigned.
                            •        Identifies those activities subject to engagement coverage, evaluates their significance,
                                     and assesses the degree of risk inherent in the activity in terms of cost, schedule, and
                                     quality.
                            •        Establishes the related departmental structure.
                            •        Obtains and maintains an audit staff capable of accomplishing the internal audit function.
                            •        Assigns engagement areas, staff, and budget to supervisors.
                            •        Develops a system of cost and schedule control over engagement projects.
                            •        Establishes standards of performance and, by review, determines that performance meets
                                     the standards.
                            •        Provides executive management within the assigned location with reports on engagement
                                     coverage and engagement results, and interprets those results so as to improve the
                                     engagement program and the engagement coverage.
                            •        Establishes and monitors accomplishment of objectives directed toward increasing the
                                     internal audit activity’s ability to serve management.
           SUPERVISOR
                            Purpose
                            •        To develop a comprehensive, practical program of engagement coverage for assigned
                                     areas.
                            •        To supervise the activities of staff assigned to the review of various organizational and
                                     functional activities.
                            •        To ensure conformance with acceptable standards, plans, budgets, and schedules.
                            •        To maintain effective working relations with operating management.
                            •        To provide for and conduct research and develop manuals and training guides.
                            Authority and Responsibility
                            Under the general guidance of a manager:
                            •        Supervises the work of staff engaged in the reviews of organizational and functional
                                     activities.
                            •        Provides a comprehensive, practical schedule of annual engagement coverage within
                                     general areas assigned by the manager.
                            •        Determines areas of risk and appraises their significance in relation to operational factors
                                     of cost, schedule, and quality. Classifies engagement projects as to degree of risk and
                                     significance and as to frequency of coverage.
                            •        Provides for flexibility in engagement schedules so as to be responsive to management’s
                                     special needs.
                            •        Schedules projects and staff assignments so as to comply with management’s needs,
                                     within the scope of the internal audit activity’s overall schedule.
                            •        Coordinates the program with the organization’s public accountant.
                            •        Reviews and approves the purpose, scope, and approach of each engagement project for
                                     assigned areas.
                            •        Directs engagement projects to see that professional standards are maintained in the
                                     planning and execution and in the accumulation of information.
                            •        Counsels and guides staff to see that the approved engagement objectives are met and
                                     that adequate, practical coverage is achieved.
                            •        Reviews and edits engagement communications and, in organizations with the
                                     auditor-in-charge for the assigned project, discusses the communications with appropriate
                                     management.
                            •        Presents oral briefing to branch-level management.




                            •        Provides for and performs research on engagement techniques.
                            •        Provides formal plans for the recruiting, selecting, training, evaluating, and supervising of
                                     staff personnel. Develops manuals and other training aids.
                            •        Accumulates data, maintains records, and prepares reports on the administration of
                                     engagement projects and other assigned activities.
                            •        Identifies factors causing deficient conditions and recommends courses of action to
                                     improve the conditions, including special surveys and audits.
                            •        Provides for a flow of communication from operating management to the manager and to
                                     the chief audit executive. Assists in evaluating overall results of the engagements.
           SENIOR
                            Purpose
                            •        To conduct reviews of assigned organizational and functional activities.
                            •        To evaluate the adequacy and effectiveness of the management controls over those
                                     activities.
                            •        To determine whether organizational units are performing their planning, accounting,
                                     custodial, risk management, or control activities in compliance with management
                                     instructions, applicable statements of policy and procedures, and in a manner consistent
                                     with both organizational objectives and high standards of administrative practice.
                            •        To plan and execute engagements in accordance with accepted standards.
                            •        To report engagement observations and to make recommendations for correcting
                                     unsatisfactory conditions, improving operations, and reducing cost.
                            •        To perform special reviews at the request of management.
                            •        To direct the activities of assistants.
                            Authority and Responsibility
                            Under the general guidance of a supervisor:
                            •        Surveys functions and activities in assigned areas to determine the nature of operations
                                     and the adequacy of the system of control to achieve established objectives.
                            •        Determines the direction and thrust of the proposed engagement effort.
                            •        Plans the theory and scope of the engagement, and prepares an engagement work
                                     program.
                            •        Determines the engagement procedures to be used, including statistical sampling and the
                                     use of information technology.
                            •        Identifies the key control points of the system.
                            •        Evaluates a system’s effectiveness through the application of a knowledge of business
                                     systems, including financial, manufacturing, engineering, procurement, and other
                                     operations, and an understanding of engagement techniques.
                            •        Recommends necessary staff required to complete the engagement.
                            •        Performs the engagement in a professional manner and in accordance with the approved
                                     engagement work program.
                            •        Obtains, analyzes, and appraises information as a basis for an informed, objective
                                     conclusion (opinion) on the adequacy and effectiveness of the system and the efficiency of
                                     performance of the activities being reviewed.
                            •        Directs, counsels, and instructs staff assistants assigned to the engagement, and reviews
                                     their work for sufficiency of scope and for accuracy.
                            •        Makes oral or written presentations to management during and at the conclusion of the
                                     engagement, discussing observations and recommending corrective action to improve
                                     operations and reduce cost.
                            •        Prepares formal written communications, expressing opinions on the adequacy and
                                     effectiveness of the system and the efficiency with which activities are carried out.
                            •        Appraises the adequacy of the corrective action taken to improve deficient conditions.








     4.    Selection of Staff
            a.      Modern internal auditing demands a superior staff.
                     1)  Staffing provides the personnel necessary to carry on the work of the IAA.
                     2)  Mediocre personnel are incapable of carrying out progressive programs.
                     3)  Each internal auditor must have the capacity to expand his/her abilities as
                          management makes increasing demands for modern services.
            b.      The CAE should set high standards for the staff.
            c.      Professional education, ability, and certain personality traits are needed.
            d.      Source of Staff
                     1)     Promoting from within has many advantages:
                              a) The character, personality, work attitudes, and other personal qualifications
                                  of staff members are known.
                             b) Internal recruits are familiar with organizational policies and practices and
                                  have a broader perspective of operations.
                             c) Experience and work qualifications can be closely evaluated.
                             d) Internal recruiting can promote staff morale.
                     2)     Recruiting experienced personnel externally also has advantages:
                              a)     The organization can attract specific skills needed.
                              b)     The range of possible services is broadened.
                              c)     New ideas are brought to the organization.
                              d)     Training costs are reduced.
                     3)     Recruiting of university graduates is another possibility.
                           a) The organization must be able to train and develop personnel.
                           b) Benefits include updating accounting and auditing skills.
            e.      Interviewing and testing techniques
                     1)     The selection of staff is dependent on evaluating applicants.
                     2)     The interviews should be carefully planned and structured.
                     3)     Competent interviewers should be assigned.
                     4)     Supervisors of the new staff should be present at the interviews.
                     5)     Appropriate questions and forms should be prepared in advance to evaluate
                              a)     Technical qualifications and educational background
                              b)     Personal appearance
                              c)     Ability to communicate
                              d)     Work experience and judgment
                              e)     Motivation
                              f)     Potential to contribute to the organization
                     6)     Applicants who have earned the CIA designation have demonstrated
                             qualifications in internal auditing. Other qualities can be examined by a variety
                             of tests that will vary with the job to be filled.
                              a)     Writing ability. Sawyer, Dittenhofer, and Scheiner suggest requiring a
                                      written engagement communication from the applicant based on a
                                      prescribed format and a hypothetical situation. Grading criteria for
                                      evaluation of writing ability include correctness, conciseness, clarity,
                                      organization, and vocabulary.







                         b)     Ability to organize thoughts. Sawyer, Dittenhofer, and Scheiner suggest
                                 the applicant arrange a series of 25 statements to describe an
                                 engagement observation.
                                  i)  The statements are mixed and given identifying numbers. The
                                       applicant is asked to arrange them in proper sequence.
                         c)     Ability to distinguish between fact and speculation. The applicant
                                 must identify the statements of undeniable fact and of mere conjecture in
                                 a brief paragraph.
5.    Training of Staff
       a.      Staff orientation. An adequate orientation program provides reasonable assurance
                that the new employee will become productive promptly. It promotes employee
                morale and deters good employees from leaving.
                1)     The orientation program should be well designed and controlled.
                2)     Appropriate materials should be devised.
                3)     Employees should be familiarized with organizational policies.
                4)     The technical orientation may extend to
                         a)     Introductions to staff personnel and other employees
                         b)     Discussion of engagement objectives
                         c)     Copies of internal auditing manuals
                         d)     Discussion of duties and responsibilities
                         e)     Control of work
                         f)     General information on the structure of the organization
                         g)     Literature on modern internal auditing
                         h)     Working paper techniques
                         i)     Development of engagement observations
                         j)     Communication formats
                         k)     Instructor’s follow-up and feedback after new staff member has performed
                                 actual fieldwork
       b.      Objectives of staff training are to
                1)  Assist internal auditing to do a better job
                2)  Add versatility to the IAA
                3)  Help develop supervisory skill
                4)  Prepare the staff member for promotion
                5)  Improve job satisfaction, organizational loyalty, and productivity
                6)  Improve technical skills
                7)  Update knowledge of new professional pronouncements and reporting
                     techniques (continuing education)
       c.      Possible training formats include
                1)     Formal classroom study
                2)     Self-study
                3)     Attendance at formal meetings of The IIA and other groups
                4)     Industry conferences
                5)     University courses
                6)     On-the-job training
                7)     Research projects








            d.      Required components of a successful training program
                     1)     The trainee’s commitment and interest
                     2)     Sufficient time and resources to permit training objectives to be met
                     3)     High-quality training materials
                     4)     Trainee participation
                     5)     Reinforcement
            e.      One aspect of a successful, ongoing training program is holding regular staff
                     meetings to explain new techniques, discuss new policies, and receive suggestions
                     from staff.
     6.    Evaluation of Staff
            a.      A written appraisal of each internal auditor’s performance is required at least
                     annually.
            b.      The evaluation provides a basis for counseling subordinates on their strong and weak
                     attributes, opportunities for advancement, and programs for self-improvement.
            c.      The evaluation is a basis for promotions, transfers, and compensation adjustments.
            d.      The evaluation is done by the person with responsibility for the particular employee.
            e.      Criteria for evaluation are weighted and applied to performance on specific projects.
                     Personnel whose performance is being appraised should be notified of the criteria
                     and methods at the time they begin employment. The criteria include type of skill
                     required, extent of responsibility, scope of effort, and nature of working conditions.
            f.      Each auditor should receive a full explanation of the appraisal and results of his/her
                     evaluation.


8.6 POLICIES AND PROCEDURES
     1.    This subunit concerns the formal guidance to be provided by the chief audit executive. This
            guidance is discussed in one Specific Performance Standard and in one Practice Advisory.
     2.    2040            Policies and Procedures – The chief audit executive should establish policies
                           and procedures to guide the internal audit activity.
            a.      PRACTICE ADVISORY 2040-1: POLICIES AND PROCEDURES
                     1.       The form and content of written policies and procedures should be
                              appropriate to the size and structure of the internal audit activity and the
                              complexity of its work. Formal administrative and technical audit manuals may
                              not be needed by all internal auditing entities. A small internal audit activity
                              may be managed informally. Its audit staff may be directed and controlled
                              through daily, close supervision and written memoranda. In a large internal
                              audit activity, more formal and comprehensive policies and procedures are
                              essential to guide the audit staff in the consistent compliance with the internal
                              audit activity’s standards of performance.


                                                                       PA Summary

            •       Written policies and procedures for the IAA should be appropriate to its size,
                     structure, and work. Formal manuals may not be needed for all IAAs. A small
                     IAA may be managed informally. A large IAA may require more formal and
                     comprehensive policies and procedures.







3.    Personnel manuals describe the organization and its relationship to employees, including
       a.      Objectives and goals (also of divisions, subsidiaries, etc.)
       b.      History
       c.      Fringe benefits (medical, pension, life insurance, etc.)
       d.      Vacation and sick-pay policies
       e.      Promotion policies
       f.      Development and training programs
4.    Audit (technical) manuals provide guidance on completing specific engagements in
       compliance with the technical standards and policies of the IAA. They include
       a.      General and specific guidelines on
                1)     Engagement objectives (may classify types of engagements)
                2)     Theory and purpose of internal auditing
                3)     Scope of engagement, engagement work programs, and time budgets
                4)     Working papers
                5)     Engagement communications
                6)     Internal controls
                7)     Internal administration
                8)     Performance standards
       b.      Special technical topics, such as
                1) Information technology auditing
                2) Statistical sampling
                3) Procedures for suspected fraud
                4) Fraud investigations
       c.      Matters related to administration of an individual engagement, such as
                1)     Notification of client about a pending engagement
                2)     Preliminary survey and engagement work program
                3)     Engagement time budget and changes in it
                4)     Application of engagement procedures
                5)     Changes in engagement work programs
                6)     Working paper preparation, review, and control
                7)     Communication draft review with clients
                8)     Communication format
                9)     Communication review
                10)    Client replies to engagement communications
                11)    Follow-up on observations and recommendations
5.    Administrative policy and procedure manuals guide the operation of the IAA. They may
       contain
       a.      The charter
       b.      A policy statement of the relationship of the IAA with other subunits
       c.      The definition of responsibilities of personnel
       d.      An IAA organizational chart
       e.      Approvals required for actions
       f.      Personnel policies unique to the IAA
       g.      Personnel records
       h.      Travel instructions
       i.      Expense reports
       j.      Time reports
       k.      Staff evaluations
       l.      Descriptions for permanent files, temporary files, and working paper retention

       m.      Communication preparation and review procedures
       n.      Engagement research responsibilities
       o.      Training and education programs
       p.      The history of the IAA, including the relationship with management and the board, to
                provide staff auditors with the activity’s philosophy and approach to internal auditing.


8.7 STUDY UNIT 8 SUMMARY
     1.    Planning for the IAA is subject to its charter and organizational goals. The process
            establishes (a) goals, (b) work schedules, (c) staffing plans and financial budgets, and
            (d) activity reports.
     2.    The IAA’s plan is based on assessment of risk and exposure. The objective is to provide
            information to mitigate risk. The audit universe may reflect the organization’s strategic
            plan. Thus, it may reflect (a) the overall business objectives, (b) attitude toward risk, (c) the
            difficulty of reaching objectives, and (d) the results of risk management.
     3.    The CAE annually submits to senior management and the board a summary of the IAA’s
            work schedule, staffing plan, and financial budget. They should disclose the scope of work
            and any limitations on it.
     4.    The CAE submits activity reports at least annually. They (a) highlight significant
            engagement observations (those adversely affecting the organization) and (b) report
            significant deviations from work schedules, etc., and the reasons for them.
            Significant observations and recommendations are reviewed with senior management and
            then communicated to the board, whether or not resolved.
     5.    The audit committee oversees audit and control. The audit committee and the IAA must
            have a strong relationship so that both may fulfill their responsibilities.
     6.    The principal components of the governance system are (a) the board, (b) management,
            (c) the IAA, and (d) external auditing. Considering the work of the IAA is essential to the
            audit committee’s understanding of operations. The CAE ensures accomplishment of this
            objective and that the audit committee views the CAE as a trusted advisor.
     7.    The CAE’s functions include
            a.      Assisting the audit committee to ensure that its charter, activities, and processes are
                     appropriate to fulfill its responsibilities.
            b.      Ensuring that the charter, role, and activities of internal audit are clearly understood
                     and responsive to the needs of the audit committee and the board.
            c.      Maintaining open and effective communication with the audit committee and the
                     chairperson.
     8.    The CAE is primarily responsible for the sufficiency, appropriateness, and effective
            deployment of the resources of the IAA consistent with the approved audit plan. Thus, the
            CAE must (a) conduct a periodic skills assessment, (b) assign auditors qualified for their
            task, (c) develop an appropriate sourcing approach and organizational structure, (d) clearly
            communicate the effects of resource decisions, (e) consider staff development and
            evaluation, (f) consider use of resources external to the IAA, (g) have ongoing
            communication with senior management and the board about resource adequacy, and
            (h) provide the board at least annually with a detailed summary of resource status.
     9.    Written policies and procedures for the IAA should be appropriate to its size, structure, and
            work. A small IAA may be managed informally.




          Copyright © 2008 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com

								